def test_03_errors(self):
# unknown type
self.assertRaises(Exception, save_caconnector,
{"caconnector": "unknown", "type": "unknown"})
caobj = get_caconnector_object("not-existing")
self.assertEqual(caobj, None)
def revoke(self):
"""
This revokes the token. We need to determine the CA, which issues the
certificate, contact the connector and revoke the certificate
Some token types may revoke a token without locking it.
"""
TokenClass.revoke(self)
# determine the CA and its connector.
ti = self.get_tokeninfo()
ca_specifier = ti.get("CA")
log.debug("Revoking certificate {0!s} on CA {1!s}.".format(
self.token.serial, ca_specifier))
certificate_pem = ti.get("certificate")
# call CAConnector.revoke_cert()
ca_obj = get_caconnector_object(ca_specifier)
revoked = ca_obj.revoke_cert(certificate_pem)
log.info("Certificate {0!s} revoked on CA {1!s}.".format(revoked,
ca_specifier))
# call CAConnector.create_crl()
crl = ca_obj.create_crl()
log.info("CRL {0!s} created.".format(crl))
return revoked
def test_03_errors(self):
# unknown type
self.assertRaises(Exception, save_caconnector,
{"caconnector": "unknown", "type": "unknown"})
caobj = get_caconnector_object("not-existing")
self.assertEqual(caobj, None)
def update(self, param):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
request = getParam(param, "request", optional)
spkac = getParam(param, "spkac", optional)
certificate = getParam(param, "certificate", optional)
generate = getParam(param, "genkey", optional)
if request or generate:
# If we do not upload a user certificate, then we need a CA do
# sign the uploaded request or generated certificate.
ca = getParam(param, "ca", required)
self.add_tokeninfo("CA", ca)
cacon = get_caconnector_object(ca)
if request:
# During the initialization process, we need to create the
# certificate
x509object = cacon.sign_request(request,
options={"spkac": spkac})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
elif generate:
# Create the certificate on behalf of another user.
# Now we need to create the key pair,
# the request
# and the certificate
# We need the user for whom the certificate should be created
user = get_user_from_param(param, optionalOrRequired=required)
keysize = getParam(param, "keysize", optional, 2048)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, keysize)
req = crypto.X509Req()
req.get_subject().CN = user.login
# Add email to subject
if user.info.get("email"):
req.get_subject().emailAddress = user.info.get("email")
req.get_subject().organizationalUnitName = user.realm
# TODO: Add Country, Organization, Email
# req.get_subject().countryName = 'xxx'
# req.get_subject().stateOrProvinceName = 'xxx'
# req.get_subject().localityName = 'xxx'
# req.get_subject().organizationName = 'xxx'
req.set_pubkey(key)
req.sign(key, "sha256")
x509object = cacon.sign_request(crypto.dump_certificate_request(
crypto.FILETYPE_PEM, req))
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
# Save the private key to the encrypted key field of the token
s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
self.add_tokeninfo("privatekey", s, value_type="password")
if certificate:
self.add_tokeninfo("certificate", certificate)
def update(self, param):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
request = getParam(param, "request", optional)
spkac = getParam(param, "spkac", optional)
certificate = None
if request:
ca = getParam(param, "ca", required)
self.add_tokeninfo("CA", ca)
# During the initialization process, we need to create the
# certificate
cacon = get_caconnector_object(ca)
x509object = cacon.sign_request(request,
options={"spkac": spkac})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
else:
certificate = getParam(param, "certificate", optional)
if certificate:
self.add_tokeninfo("certificate", certificate)
def update(self, param):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
request = getParam(param, "request", optional)
spkac = getParam(param, "spkac", optional)
certificate = None
if request:
ca = getParam(param, "ca", required)
self.add_tokeninfo("CA", ca)
# During the initialization process, we need to create the
# certificate
cacon = get_caconnector_object(ca)
x509object = cacon.sign_request(request, options={"spkac": spkac})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
else:
certificate = getParam(param, "certificate", optional)
if certificate:
self.add_tokeninfo("certificate", certificate)
def update(self, param):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
request = getParam(param, "request", optional)
spkac = getParam(param, "spkac", optional)
certificate = getParam(param, "certificate", optional)
generate = getParam(param, "genkey", optional)
if request or generate:
# If we do not upload a user certificate, then we need a CA do
# sign the uploaded request or generated certificate.
ca = getParam(param, "ca", required)
self.add_tokeninfo("CA", ca)
cacon = get_caconnector_object(ca)
if request:
# During the initialization process, we need to create the
# certificate
x509object = cacon.sign_request(request, options={"spkac": spkac})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
elif generate:
# Create the certificate on behalf of another user.
# Now we need to create the key pair,
# the request
# and the certificate
# We need the user for whom the certificate should be created
user = get_user_from_param(param, optionalOrRequired=required)
keysize = getParam(param, "keysize", optional, 2048)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, keysize)
req = crypto.X509Req()
req.get_subject().CN = user.login
# Add email to subject
if user.info.get("email"):
req.get_subject().emailAddress = user.info.get("email")
req.get_subject().organizationalUnitName = user.realm
# TODO: Add Country, Organization, Email
# req.get_subject().countryName = 'xxx'
# req.get_subject().stateOrProvinceName = 'xxx'
# req.get_subject().localityName = 'xxx'
# req.get_subject().organizationName = 'xxx'
req.set_pubkey(key)
req.sign(key, "sha256")
x509object = cacon.sign_request(
crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
# Save the private key to the encrypted key field of the token
s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
self.add_tokeninfo("privatekey", s, value_type="password")
if certificate:
self.add_tokeninfo("certificate", certificate)
def test_02_db_caconnector(self):
pass
# save a CA connector
ca_id = save_caconnector({
"caconnector": "myCA",
"type": "local",
"cakey": "/opt/ca/key.pem",
"cacert": "/opt/ca/cert.pem"
})
self.assertTrue(ca_id > 0, ca_id)
# Update the CA connector
save_caconnector({
"caconnector": "myCA",
"type": "local",
"WorkingDir": "/opt/ca",
"Password": "******",
"type.Password": "******"
})
# check if connector is in DB
calist = get_caconnector_list()
self.assertEqual(len(calist), 1)
calist = get_caconnector_list(filter_caconnector_type="local")
self.assertEqual(len(calist), 1)
# check the config values of "myCA"
self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca")
self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem")
# get the CA connector list without a config
calist = get_caconnector_list(return_config=False)
self.assertEqual(len(calist), 1)
# check that there are no values
self.assertEqual(calist[0].get("data"), {})
# test the CA connector:
config = get_caconnector_config("myCA")
self.assertEqual(config.get("WorkingDir"), "/opt/ca")
self.assertEqual(config.get("cakey"), "/opt/ca/key.pem")
# get_caconnector_object()
ca_obj = get_caconnector_object("myCA")
self.assertTrue(ca_obj.connector_type, "local")
catype = get_caconnector_type("myCA")
self.assertTrue(catype, "local")
# delete the CA connector
delete_caconnector("myCA")
# check if connector is deleted from DB
self.assertEqual(len(calist), 1)
def test_02_db_caconnector(self):
pass
# save a CA connector
ca_id = save_caconnector({"caconnector": "myCA",
"type": "local",
"cakey": "/opt/ca/key.pem",
"cacert": "/opt/ca/cert.pem"})
self.assertTrue(ca_id > 0, ca_id)
# Update the CA connector
save_caconnector({"caconnector": "myCA",
"type": "local",
"WorkingDir": "/opt/ca",
"Password": "******",
"type.Password": "******"})
# check if connector is in DB
calist = get_caconnector_list()
self.assertEqual(len(calist), 1)
calist = get_caconnector_list(filter_caconnector_type="local")
self.assertEqual(len(calist), 1)
# check the config values of "myCA"
self.assertEqual(calist[0].get("data").get("WorkingDir"), "/opt/ca")
self.assertEqual(calist[0].get("data").get("cakey"), "/opt/ca/key.pem")
# get the CA connector list without a config
calist = get_caconnector_list(return_config=False)
self.assertEqual(len(calist), 1)
# check that there are no values
self.assertEqual(calist[0].get("data"), {})
# test the CA connector:
config = get_caconnector_config("myCA")
self.assertEqual(config.get("WorkingDir"), "/opt/ca")
self.assertEqual(config.get("cakey"), "/opt/ca/key.pem")
# get_caconnector_object()
ca_obj = get_caconnector_object("myCA")
self.assertTrue(ca_obj.connector_type, "local")
catype = get_caconnector_type("myCA")
self.assertTrue(catype, "local")
# delete the CA connector
delete_caconnector("myCA")
# check if connector is deleted from DB
self.assertEqual(len(calist), 1)
def update(self, param):
"""
This method is called during the initialization process.
:param param: parameters from the token init
:type param: dict
:return: None
"""
TokenClass.update(self, param)
request = getParam(param, "request", optional)
spkac = getParam(param, "spkac", optional)
certificate = getParam(param, "certificate", optional)
generate = getParam(param, "genkey", optional)
template_name = getParam(param, "template", optional)
if request or generate:
# If we do not upload a user certificate, then we need a CA do
# sign the uploaded request or generated certificate.
ca = getParam(param, "ca", required)
self.add_tokeninfo("CA", ca)
cacon = get_caconnector_object(ca)
if request:
if not spkac:
# We only do the whole attestation checking in case we have no SPKAC
request_csr = load_pem_x509_csr(to_byte_string(request),
default_backend())
if not request_csr.is_signature_valid:
raise privacyIDEAError("request has invalid signature.")
# If a request is sent, we can have an attestation certificate
attestation = getParam(param, "attestation", optional)
verify_attestation = getParam(param, "verify_attestation",
optional)
if attestation:
request_numbers = request_csr.public_key().public_numbers()
attestation_cert = load_pem_x509_certificate(
to_byte_string(attestation), default_backend())
attestation_numbers = attestation_cert.public_key(
).public_numbers()
if request_numbers != attestation_numbers:
log.warning(
"certificate request does not match attestation certificate."
)
raise privacyIDEAError(
"certificate request does not match attestation certificate."
)
try:
verified = verify_certificate_path(
attestation, param.get(ACTION.TRUSTED_CA_PATH))
except Exception as exx:
# We could have file system errors during verification.
log.debug("{0!s}".format(traceback.format_exc()))
verified = False
if not verified:
log.warning(
"Failed to verify certificate chain of attestation certificate."
)
if verify_attestation:
raise privacyIDEAError(
"Failed to verify certificate chain of attestation certificate."
)
# During the initialization process, we need to create the
# certificate
x509object = cacon.sign_request(request,
options={
"spkac": spkac,
"template": template_name
})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
elif generate:
# Create the certificate on behalf of another user.
# Now we need to create the key pair,
# the request
# and the certificate
# We need the user for whom the certificate should be created
user = get_user_from_param(param, optionalOrRequired=required)
keysize = getParam(param, "keysize", optional, 2048)
key = crypto.PKey()
key.generate_key(crypto.TYPE_RSA, keysize)
req = crypto.X509Req()
req.get_subject().CN = user.login
# Add email to subject
if user.info.get("email"):
req.get_subject().emailAddress = user.info.get("email")
req.get_subject().organizationalUnitName = user.realm
# TODO: Add Country, Organization, Email
# req.get_subject().countryName = 'xxx'
# req.get_subject().stateOrProvinceName = 'xxx'
# req.get_subject().localityName = 'xxx'
# req.get_subject().organizationName = 'xxx'
req.set_pubkey(key)
req.sign(key, "sha256")
csr = to_unicode(
crypto.dump_certificate_request(crypto.FILETYPE_PEM, req))
x509object = cacon.sign_request(
csr, options={"template": template_name})
certificate = crypto.dump_certificate(crypto.FILETYPE_PEM,
x509object)
# Save the private key to the encrypted key field of the token
s = crypto.dump_privatekey(crypto.FILETYPE_PEM, key)
self.add_tokeninfo("privatekey", s, value_type="password")
if "pin" in param:
self.set_pin(param.get("pin"), encrypt=True)
if certificate:
self.add_tokeninfo("certificate", certificate)
